Packetstorm opens bug bounty programme with $7,000 top reward

Packetstorm has joined the exploit hunting race by offering avid hackers rewards of up to $7,000 for working exploits in its newly announced Bug Bounty programme.

The programme was announced on Wednesday and offers willing computer wizards the chance to earn money finding bugs.

"Bug bounty programmes are nothing new. We have seen various initiatives started in the community and have had a lot of discussion internally regarding whether or not such a programme causes a positive impact," Packetstorm said.

The current bounty list features a number of different targets, ranging from a bottom-end $350 for a Microsoft .NET Framework Remote Code Execution to a massive $7,000 for an Adobe Reader / Acrobat Code Execution.

"Different issues and different levels of exploit offer different levels of compensation. Typical payout for a working exploit ranges from $1,000 to $7,000. If you have a zero-day that you believe is worth a lot more, there is the opportunity for larger payouts, but that requires a different discussion. Nothing is off the table," wrote Packetstorm.

Bug hunting programmes have become a heated topic in recent years, with numerous companies, including Google, instigating bounty programmes to help improve their products' security.

However, the Packetstorm programme is different in that it aims to help improve cyber security as a whole using a full disclosure policy. The policy will see all exploits made public for anyone to download and use 60 days after submission.

"Other companies that buy exploits for their penetration testing war chest rarely share them with the public and once bought, require that the author does not share them. We are going the other direction on this idea. If the author of the exploit permits it, we will release them publicly after 60 days for everyone to download," Packetstorm added.

"It helps the greater good and is in line with our initiative to provide security engineers the ability to test their systems for recently patched vulnerabilities."

The security community has yet to respond to Packetstorm's new programme though it could well be met with a similarly split reaction. Good idea or a misguided attempt to help? Let us know your thoughts.